Forum Replies Created
Yes, that should work. My plugin will scan all the files under the root directory of any WordPress install, even if the files are not related to WordPress.
You missed the .htaccess file in your public_html directory!
This file still has all that BPS code in it, including the 403 that is blocking my dynamic JavaScript that you want to work. That .htaccess file is one level up, outside the site’s root directory, so it will actually affect all the sites that you have inside your public_html directory (not a good idea, IMHO). There was also an .htaccess file in /wp-content/ for this site which contains this code (which might also cause problems):
<FilesMatch "\.(?i:php)$">
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>

The Quarantine is really just a record of the malicious code that was removed. Those files are now clean and the prior contents are encoded into your database as a custom post_type. Don’t delete the files that those records refer to because they are clean, but you can delete the records from the Quarantine if you want to. Personally, I find the Quarantine to be very useful for later reference: in case the site gets hacked again, you can compare the files and dates of the infection, and you can also restore any of those files if the need arises. I suppose the only harm that could come from leaving those records in the quarantine is that an admin could accidentally restore the infected files at a later date.
On another subject, I just wanted to say what a pleasant surprise it was to wake up this morning and find your brilliant review and rebuttal on my behalf on wordpress.org, not to mention that very generous donation you made. Thank you!
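For the stray .htaccess problem in the reply above (a BPS rule set one level above the site root, plus a PHP-denying FilesMatch block in wp-content), here is an added example that is not part of the original thread or the plugin: it walks up from a site's document root, then down through it, and reports every .htaccess that can answer requests with a 403, tagged with the container it sits in. The directive patterns, the stop_at parameter and the command-line usage are my assumptions.

```python
import os
import re
from pathlib import Path

# Directives that make Apache refuse a request (403). The RewriteRule form with
# the [F] flag is what BPS-style rule sets use; the others are the classic
# access-control forms. This pattern list is an assumption; extend as needed.
BLOCKING = re.compile(
    r"^\s*(?:Deny\s+from\s+all"
    r"|Require\s+all\s+denied"
    r"|RewriteRule\s+.*\[[^\]]*\bF\b[^\]]*\]"
    r"|Redirect(?:Match)?\s+403\b)",
    re.IGNORECASE,
)
OPEN_SCOPE = re.compile(r"^\s*<(FilesMatch|Files|Directory|Location)\s+([^>]*)>", re.IGNORECASE)
CLOSE_SCOPE = re.compile(r"^\s*</(FilesMatch|Files|Directory|Location)>", re.IGNORECASE)


def scan_htaccess(path):
    """Return [(scope, directive)] for every blocking directive in one file.
    scope is the enclosing <Files>/<FilesMatch>/... container, or "" when the
    directive applies to every request handled below that directory."""
    findings = []
    scope = []
    for line in Path(path).read_text(errors="replace").splitlines():
        m = OPEN_SCOPE.match(line)
        if m:
            scope.append(f"<{m.group(1)} {m.group(2).strip()}>")
            continue
        if CLOSE_SCOPE.match(line):
            if scope:
                scope.pop()
            continue
        if BLOCKING.match(line):
            findings.append((scope[-1] if scope else "", line.strip()))
    return findings


def find_blocking_htaccess(docroot, stop_at=None):
    """List every .htaccess that can 403 requests to the site at docroot.

    Apache merges .htaccess files from every ancestor directory down to the
    requested file, so a file above docroot (e.g. public_html when the site
    lives in public_html/site) applies to that site and to every sibling site.
    Files below docroot only affect their own subtree. stop_at bounds the
    upward walk (default: the filesystem root).
    """
    docroot = Path(docroot).resolve()
    stop_at = Path(stop_at).resolve() if stop_at else None
    results = []
    for depth, ancestor in enumerate([docroot, *docroot.parents]):
        ht = ancestor / ".htaccess"
        if ht.is_file():
            rules = scan_htaccess(ht)
            if rules:
                results.append({"path": str(ht), "relation": "docroot" if depth == 0 else "above",
                                "depth": depth, "rules": rules})
        if ancestor == stop_at:
            break
    for dirpath, _dirs, files in os.walk(docroot):
        sub = Path(dirpath)
        if sub == docroot or ".htaccess" not in files:
            continue
        rules = scan_htaccess(sub / ".htaccess")
        if rules:
            results.append({"path": str(sub / ".htaccess"), "relation": "below",
                            "depth": len(sub.relative_to(docroot).parts), "rules": rules})
    return results


if __name__ == "__main__":
    import sys
    for hit in find_blocking_htaccess(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit['relation']} ({hit['depth']}): {hit['path']}")
        for scope, rule in hit["rules"]:
            print(f"    {scope or '(all requests)'}: {rule}")
```

Run it with the WordPress root as the argument. Anything reported as "above" applies to every site under that parent directory, which is the situation the reply warns about; a "below" hit scoped to a PHP FilesMatch in wp-content will break any plugin that serves PHP from there.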
“No response from server” means that there is something on your server that is blocking my patch. If you want to send me your wp-admin login then I would be happy to take a look at it and let you know what the problem is.
That kind of code is usually in a plugin or theme. Try deactivating plugins until you don’t see that message any more. If that doesn’t work, try downloading a totally new theme and activate it to see if that gets rid of the message. If neither of those options affects the output buffer message then you could also get the Core Files definition and see if that finds any WP Core files that have been modified.
I don’t see that Spam code on your site, did you remove it already?
If you still see it then please send me a screenshot so I know where to look for it.
Thanks, I’m still working on it and I now have two different directions that I’m going in to get a scheduled scan to work. One of them should be ready for testing some time next month.
Click “Edit” under the Appearance menu in your wp-admin, then find the header link to the right.
So first of all, Sucuri calls this “MW:BLK:2” but that’s only Sucuri’s generic designation for a link to a blacklisted site. Neither my plugin (nor anyone else’s, for that matter) will ever refer to any given threat with the same names that Sucuri uses, with their MW:ABC:123 type names for things.
What they are picking up on is a link to a JavaScript file in your header, and the only problem with that is that it is loading that file from the remote site stg.odnoklassniki.ru, which Sucuri says is blacklisted. Here is the code they are finding in your header:
<script type='text/javascript' src='http://stg.odnoklassniki.ru/share/odkl_share.js?ver=4.4'></script>
To be fair, I am not sure this is actually malicious code. It looks like some kind of share button, and the only people who have blacklisted this Russian domain are Sucuri themselves. Just look at all the other security websites that say that domain is clean:
Domain blacklisted by Sucuri Malware Labs: stg.odnoklassniki.ru
Domain clean by Google Safe Browsing: stg.odnoklassniki.ru
Domain clean by Norton Safe Web: stg.odnoklassniki.ru
Domain clean on Phish tank: stg.odnoklassniki.ru
Domain clean on the Opera browser: stg.odnoklassniki.ru
Domain clean by SiteAdvisor: stg.odnoklassniki.ru
Domain clean on SpamHaus DBL: stg.odnoklassniki.ru
Domain clean by Bitdefender: stg.odnoklassniki.ru
Domain clean on Yandex (via Sophos): stg.odnoklassniki.ru
Domain clean by ESET: stg.odnoklassniki.ru

This might also be a post size limitation. If you cannot figure out what it is on your server that is blocking the manual downloading of the definition updates, then you could donate $29 to use the Automatic update method, which cannot be blocked by post limits and also gives you the Core Files definitions and the Brute-Force Protection.
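The reply about the “MW:BLK:2” result above checks one thing by hand: which vendors actually list the host that a remote script is loaded from. As an added example, not the plugin's code and not from the original thread, the block below pulls every remote <script src> out of a page and counts how many vendor lists flag its host, so a single vendor's opinion is distinguishable from a consensus. The page header, the blocklist contents and the vendor names are constructed stand-ins, except that the odnoklassniki script line is the one quoted in the reply.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def remote_scripts(html, site_host):
    """Return (src, host) for each script loaded from a host other than the
    site's own. Protocol-relative URLs (//host/path) are remote too; relative
    paths have no host and are skipped."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    parser.close()
    found = []
    for src in parser.srcs:
        url = urlparse("http:" + src if src.startswith("//") else src)
        host = (url.hostname or "").lower()
        if host and host != site_host.lower():
            found.append((src, host))
    return found


def vendor_verdicts(host, blocklists):
    """Match host against each vendor's set of blocked names. A listing of a
    parent domain (example.net) also covers its subdomains (cdn.example.net);
    the bare TLD is never considered."""
    labels = host.split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    return {vendor: bool(candidates & listed) for vendor, listed in blocklists.items()}


def triage(html, site_host, blocklists, consensus=2):
    """One row per remote script: who flags it, and whether enough vendors
    agree to treat it as more than a single vendor's opinion."""
    rows = []
    for src, host in remote_scripts(html, site_host):
        verdicts = vendor_verdicts(host, blocklists)
        flagged_by = sorted(v for v, hit in verdicts.items() if hit)
        rows.append({"src": src, "host": host, "flagged_by": flagged_by,
                     "consensus": len(flagged_by) >= consensus})
    return rows


# Constructed page header: the share-button line quoted in the thread, plus a
# local script and a protocol-relative one, both made up for this example.
SAMPLE_HTML = """
<head>
<script type='text/javascript' src='/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<script type='text/javascript' src='http://stg.odnoklassniki.ru/share/odkl_share.js?ver=4.4'></script>
<script src='//bad.example.net/loader.js'></script>
</head>
"""

# Constructed blocklists standing in for the vendor results quoted above:
# only one vendor lists the share-button host; two agree on the other one.
BLOCKLISTS = {
    "Sucuri Malware Labs": {"stg.odnoklassniki.ru", "example.net"},
    "Google Safe Browsing": {"example.net"},
    "Norton Safe Web": set(),
    "Spamhaus DBL": set(),
}

if __name__ == "__main__":
    for row in triage(SAMPLE_HTML, "example.com", BLOCKLISTS):
        status = "consensus" if row["consensus"] else "single-vendor" if row["flagged_by"] else "clean"
        print(f"{row['host']:28} {status:14} {', '.join(row['flagged_by']) or '-'}")
```

A single-vendor hit is worth a look but not a cleanup on its own; whatever the verdict, a third-party script tag in the header is still code that runs in every visitor's browser with the site's origin, so the question of whether the site needs it at all remains.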
Actually your site looks clean to me. Those Sucuri results are actually NOT CORRECT. This is a False Positive from Sucuri.net, as you can see from their “View Payload” link:
Hyatt Hotels Payment System Hacked By Credit-Card Stealing Malware
It looks to me like you wrote an article on your site that mentions this “Hotel Hack” and Sucuri has misinterpreted the words “Hacked By Credit-Card…” as a defacement when it’s really not.
Thank you, I’m sorry to hear that you are having so much trouble staying clean. It sounds like you have a lot of sites on a shared hosting server that is not secure enough to keep the hackers out.
The problem with conventional shared hosting is that if any of those sites has a back-door or a vulnerability on it that lets hackers write files to your server, then they will be able to reinfect all your sites on that server as often as they want to. It is extremely hard to track down exactly how they are getting in and plug up every security hole and back-door they open, especially if you have a lot of sites on there. Furthermore, it is possible that they are getting in through a site on someone else’s account that is not even within your power to fix.
I do offer Super Secure Hosting and I’m sure that would take care of this cross-contamination issue for you. If you would be open to moving your sites to my servers just let me know how many sites you are interested in hosting with me and I’ll let you know what it would entail.
I don’t want to market my plugin outside of WordPress right now. I have found that it works best on open-source code. I don’t know anything about xenforo, but some non-open-source developers use the same methods to encrypt or obfuscate their code as hackers do, which could lead to a high rate of false positives.
If you are not sure about the code in xenforo that my plugin has found then you should examine it or even try to decrypt it first to see what it does. If you don’t know what it is or how to do that, you can zip it up and send it to me and I’ll take a look at it.
That code in the GoDaddy plugin is intentional but also unsafe. They should use passthru not include so that if the images contained PHP code it would not be executed (bad coding on their part).
You can fix that threat or ignore it, it won’t make any noticeable difference on your site and it won’t affect the HTTPS issue you are having.
You should make sure your “home” and “siteurl” values in the wp_options table match up with what you have instructed google to index in your sitemap. Also make sure there are no .htaccess redirects to the site without the HTTPS if you want to use the secure URL.
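Added example for the two checks in the reply above (my code, not the plugin's): confirm that the home and siteurl options agree with each other and with the scheme and host the sitemap tells Google to index, and find .htaccess redirects that send requests back to the plain-http URL. The option values, sitemap and .htaccess text are constructed; a real run would take them from wp_options, the live sitemap and the server's .htaccess, and the redirect pattern is an assumption about the common Redirect/RewriteRule forms.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"


def origin(url):
    """scheme://host[:port], lowercased, which is all that home/siteurl and
    the sitemap need to agree on."""
    u = urlparse(url.strip())
    return f"{u.scheme.lower()}://{u.netloc.lower()}"


def sitemap_origins(sitemap_xml):
    """Distinct origins advertised by a urlset sitemap."""
    root = ET.fromstring(sitemap_xml)
    return {origin(loc.text) for loc in root.iter(SITEMAP_NS + "loc") if loc.text}


def url_mismatches(home, siteurl, sitemap_xml):
    """Problems with the home/siteurl option values relative to each other and
    to what the sitemap tells search engines to index. Empty list means consistent."""
    problems = []
    if origin(home) != origin(siteurl):
        problems.append(f"home {origin(home)} != siteurl {origin(siteurl)}")
    for o in sorted(sitemap_origins(sitemap_xml)):
        if o != origin(home):
            problems.append(f"sitemap advertises {o} but home is {origin(home)}")
    return problems


# Redirect-producing .htaccess lines and their target. Covers the
# Redirect/RedirectMatch/RedirectPermanent family and RewriteRule with an R
# flag; a RewriteRule without R is an internal rewrite, not a redirect.
REDIRECT = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent)?\s+(?:(?:\d{3}|permanent|temp)\s+)?\S+\s+(?P<t1>\S+)"
    r"|RewriteRule\s+\S+\s+(?P<t2>\S+)\s*\[[^\]]*\bR\b)",
    re.IGNORECASE,
)


def http_downgrade_redirects(htaccess_text):
    """Lines that redirect to a plain http:// URL. On a site meant to run over
    HTTPS these bounce visitors and crawlers back to the insecure origin."""
    hits = []
    for line in htaccess_text.splitlines():
        m = REDIRECT.match(line)
        if m and (m.group("t1") or m.group("t2")).lower().startswith("http://"):
            hits.append(line.strip())
    return hits


# Constructed inputs standing in for wp_options, the live sitemap and .htaccess.
HOME, SITEURL = "https://www.example.com", "http://www.example.com"
SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>https://www.example.com/</loc></url>
<url><loc>https://www.example.com/about/</loc></url>
</urlset>"""
HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
RewriteRule . /index.php [L]
Redirect 301 /old-page http://www.example.com/new-page
"""

if __name__ == "__main__":
    for p in url_mismatches(HOME, SITEURL, SITEMAP):
        print("option mismatch:", p)
    for line in http_downgrade_redirects(HTACCESS):
        print("downgrade redirect:", line)
```

The WordPress front-controller rule (`RewriteRule . /index.php [L]`) is deliberately in the sample and is not reported, because it has no R flag and never sends the browser anywhere; only the two rules whose target begins with http:// are.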
Which threat was this?
If you can send me the whole code so I can see what threat it’s finding, then I can improve that definition so that it stops grabbing the PHP brackets at the end of the line.